I'm using Terraform to create a few services in AWS. One of those services is an ECS task definition. I followed the docs and I keep getting the following error:
aws_ecs_task_definition.github-backup: ClientException: Fargate requires task definition to have execution role ARN to support ECR images.
status code: 400, request id: 84df70ec-94b4-11e8-b116-97f92c6f483f
First of all the task_role_arn
is optional and I can see that a new role was created. I also tried creating a role myself with the permissions required by task definition.
Here's what I have:
Task Definition:
resource "aws_ecs_task_definition" "github-backup" {
family = "${var.task_name}"
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
cpu = "${var.fargate_cpu}"
memory = "${var.fargate_memory}"
task_role_arn = "${aws_iam_role.github-role.arn}"
container_definitions = <<DEFINITION
[
{
"cpu": ${var.fargate_cpu},
"image": "${var.image}",
"memory": ${var.fargate_memory},
"name": "github-backup",
"networkMode": "awsvpc"
}
]
DEFINITION
}
IAM policy:
resource "aws_iam_policy" "access_policy" {
name = "github_policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1532966429082",
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::zego-github-backup11"
},
{
"Sid": "Stmt1532967608746",
"Action": "lambda:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
EOF
}
IAM role:
resource "aws_iam_role" "github-role" {
name = "github-backup"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"s3.amazonaws.com",
"lambda.amazonaws.com",
"ecs.amazonaws.com"
]
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
IAM policy attachment:
resource "aws_iam_role_policy_attachment" "test-attach" {
role = "${aws_iam_role.github-role.name}"
policy_arn = "${aws_iam_policy.access_policy.arn}"
}
Terraform plan doesn't show me any error. Only when running Terraform apply do I get this error. I am providing a role with required permissions to task definition and I still get this. What is wrong with this?